Interactive packet replay

Description

This attack allows you to choose a specific packet for replaying (injecting). The attack can obtain packets to replay from two sources: a live flow of packets from your wireless card, or a pcap file. The standard pcap format (Packet CAPture, associated with the libpcap library, http://www.tcpdump.org) is recognized by most commercial and open-source traffic capture and analysis tools. Reading from a file is an often overlooked feature of aireplay-ng. It allows you to read packets from other capture sessions, and quite often the various attacks generate pcap files for easy reuse. A common use is reading a file containing a packet you created with packetforge-ng.

In order to use the interactive packet replay successfully, it is important to understand a bit more about the wireless packet flow. You cannot simply capture and replay any packet. Only certain packets can be replayed successfully. Successful replay means that the packet is accepted by the access point and causes a new initialization vector (IV) to be generated, since that is the whole objective.

To do this, we either have to select a packet which naturally will be successful or manipulate a captured packet into a natural one. We will now explore these two concepts in more detail.

First, let's look at what characteristics a packet must have to naturally work. Access points will always repeat packets destined for the broadcast MAC address, which is FF:FF:FF:FF:FF:FF. ARP request packets have this characteristic. As well, the packet must be going from a wireless client to the wired network. This is a packet with the “To DS” (To Distribution System) bit flag set to 1.

So the aireplay-ng filter options we require to select these packets are:

-b 00:14:6C:7E:40:80 selects packets with the MAC of the access point we are interested in

-d FF:FF:FF:FF:FF:FF selects packets with a broadcast destination

-t 1 selects packets with the “To Distribution System” flag set on

See “Natural Packet Replay” below for an example.

Next, we will look at packets which need to be manipulated in order to be successfully replayed by the access point. The objective, as always, is to have the access point rebroadcast the packet you inject and generate a new IV. As simple as it sounds, the only selection criteria you need is the “-t 1” to select packets going to the distribution system (ethernet):

-b 00:14:6C:7E:40:80 selects packets with the MAC of the access point we are interested in

-t 1 selects packets with the “To Distribution System” flag set on

We don't care what the destination MAC address is. This is because in this case we will modify the packet being injected. The following options will result in the packet looking like the “natural” packet described above. Here are the options required:

-p 0841 sets the Frame Control Field such that the packet looks like it is being sent from a wireless client to the access point, i.e. it sets the “To DS” field to 1.

-c FF:FF:FF:FF:FF:FF sets the destination MAC address to be a broadcast. This is required to cause the AP to replay the packet and thus obtain the new IV.

Saving chosen packet in replay_src-0303-103920.cap
You should also start airodump-ng to capture replies.
Sent 4772 packets...

By also including packet size filters you can easily use attack 2 to manually replay WEP-encrypted ARP request packets. ARP packets are typically either 68 (from a wireless client) or 86 (from a wired client) bytes:

At this point, only respond “y” if the packet is 68 or 86 bytes long, otherwise enter “n”. It now injects the packets:

Saving chosen packet in replay_src-0303-124624.cap
You should also start airodump-ng to capture replies.
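To make the filter options above concrete, here is an added Python example (not code from the aircrack-ng project or this page) that decodes the 802.11 frame control word and address fields the way the -b, -d, -t, -p and -c options refer to them, applies the “natural packet” filter together with the 68/86-byte size check, and, from the defender's side, flags WEP frames whose IV repeats many times, which is exactly the footprint this replay produces. The BSSID 00:14:6C:7E:40:80 is taken from the page; the client addresses, IVs and frame contents are constructed, and the frames carry zero-filled payloads rather than real WEP ciphertext.

```python
"""Decode 802.11 frame control and addresses, apply the replay filter,
and spot repeated-IV WEP frames. Added example; all frames are constructed."""
from collections import Counter

BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def decode_frame_control(fc):
    """fc: the 2-byte frame control word as it appears on the wire.
    -p 0841 writes 0x08 into the first byte and 0x41 into the second."""
    b0, b1 = fc[0], fc[1]
    return {
        "version": b0 & 0x03,
        "type": (b0 >> 2) & 0x03,       # 0 = management, 1 = control, 2 = data
        "subtype": (b0 >> 4) & 0x0F,
        "to_ds": bool(b1 & 0x01),       # what -t 1 tests
        "from_ds": bool(b1 & 0x02),
        "retry": bool(b1 & 0x08),
        "protected": bool(b1 & 0x40),   # WEP bit; 0x41 keeps it set
    }


def parse_data_frame(frame):
    """Minimal parse of a non-QoS data frame: 24-byte header, then WEP IV."""
    fc = decode_frame_control(frame[0:2])
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    # Address roles depend on To DS / From DS: with To DS=1 the destination
    # that -d and -c refer to is Address 3, and the BSSID (-b) is Address 1.
    if fc["to_ds"] and not fc["from_ds"]:
        bssid, src, dst = a1, a2, a3
    elif fc["from_ds"] and not fc["to_ds"]:
        dst, bssid, src = a1, a2, a3
    else:
        dst, src, bssid = a1, a2, a3
    info = {"fc": fc, "bssid": mac_str(bssid), "src": mac_str(src),
            "dst": mac_str(dst), "length": len(frame)}
    if fc["type"] == 2 and fc["protected"]:
        info["iv"] = frame[24:27].hex()  # 3-byte WEP IV follows the header
    return info


def natural_replay_candidate(frame, bssid):
    """Equivalent of -b <bssid> -d FF:FF:FF:FF:FF:FF -t 1 plus the
    68/86-byte size filter for WEP-encrypted ARP requests."""
    p = parse_data_frame(frame)
    return (p["fc"]["type"] == 2 and p["fc"]["to_ds"] and not p["fc"]["from_ds"]
            and p["bssid"] == bssid.lower() and p["dst"] == BROADCAST
            and p["length"] in (68, 86))


def replay_indicators(frames, threshold=3):
    """Defender view: count WEP data frames by (src, dst, IV). A legitimate
    client does not reuse one IV thousands of times; a replay does."""
    seen = Counter()
    for f in frames:
        p = parse_data_frame(f)
        if "iv" in p:
            seen[(p["src"], p["dst"], p["iv"])] += 1
    return {key: n for key, n in seen.items() if n >= threshold}


def make_frame(fc, addr1, addr2, addr3, iv, total_len):
    """Constructed WEP data frame of exactly total_len bytes: 24-byte header,
    3-byte IV + key index byte, zero-filled body (no real ICV)."""
    hdr = (fc + b"\x00\x00" + mac_bytes(addr1) + mac_bytes(addr2)
           + mac_bytes(addr3) + b"\x00\x00")
    body = iv + b"\x00"
    return hdr + body + bytes(total_len - len(hdr) - len(body))


AP = "00:14:6c:7e:40:80"        # BSSID used in the page's examples
CLIENT = "00:0f:b5:ab:cd:ef"    # constructed wireless client address

# Client -> AP, broadcast destination, ARP-sized: frame control 08 41
NATURAL = make_frame(b"\x08\x41", AP, CLIENT, BROADCAST, b"\x11\x22\x33", 68)
# AP relaying a frame back to the wireless side: From DS=1 (08 42)
RELAYED = make_frame(b"\x08\x42", BROADCAST, AP, CLIENT, b"\x44\x55\x66", 86)
# Client -> AP unicast: the AP would not rebroadcast it
UNICAST = make_frame(b"\x08\x41", AP, CLIENT, "00:0f:b5:12:34:56", b"\x77\x88\x99", 68)
# Constructed capture in which the same frame (same IV) appears six times
CAPTURE = [RELAYED, UNICAST] + [NATURAL] * 6

if __name__ == "__main__":
    print(decode_frame_control(b"\x08\x41"))
    for name, f in (("NATURAL", NATURAL), ("RELAYED", RELAYED), ("UNICAST", UNICAST)):
        print(name, natural_replay_candidate(f, "00:14:6C:7E:40:80"))
    print(replay_indicators(CAPTURE))
```

Running the script shows that 0841 means “data frame, To DS set, WEP bit set”, that only the client-to-AP broadcast frame passes the filter, and that a capture of the replay stands out as one (source, destination, IV) tuple repeated far more than any client would legitimately send; the same counter over a real capture is a simple way to notice this attack on your own network.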

As mentioned earlier, aireplay-ng can be used to replay packets from a pcap file. Notice that in the previous example aireplay-ng wrote a file called “replay_src-0303-124624.cap”. You are not limited to using files written by aireplay-ng; you can use any pcap file from airodump-ng, kismet, etc.

You then say “y” to select the packet. It then starts to inject the packets:

Saving chosen packet in replay_src-0303-124624.cap
You should also start airodump-ng to capture replies.
End of file.

Usage Tips

Additional Interactive Application

There are some interesting applications of the first example above. It can be used to attack networks without any connected wireless clients. Start the aireplay-ng attack per the example. Now sit back and wait for any packet to be broadcast. It does not matter what type. Just say “y” and bingo, you are generating IVs. The tradeoff is speed: larger packets yield fewer IVs per second. The major advantage is that it saves the steps of obtaining the XOR stream (chopchop or fragmentation attacks), building a packet and launching a replay attack.

This would also work on APs with clients. It would be faster since you don't have to wait for an ARP, any packet will do.

IMPORTANT: The source MAC address you use must first be associated with the AP via fake authentication.

Injecting Management Frames

You can also inject management and control frames on a per-frame basis with aireplay-ng. You just need to specify a matching filter, since the default one only allows WEP data packets.